TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Quarkslab

A Nerd's Life: Weeks of Firmware Teardown to Prove We Were Right

Damien Cauquil · 2026-03-11

ATT&CK techniques detected

4 predictions
T1027.002 Software Packing
99%
“5th 2026 file size ratio format name ---- upx: fw_add: notpackedexception: not packed by upx unpacked 0 files. these executables have been modified to avoid easy decompression, some ki…”
T1027.002 Software Packing
95%
“a compressed 64-bit elf file with the end of our scrambled file: upx metadata structure located at the end of a normally upx-compressed executable upx metadata structure of a compressed-then-scrambled executable it appears our scrambled file has 32 extra bytes after this…”
T1027.002 Software Packing
91%
“'s screen. eventually, we had to admit the hr_fake text string found when we began this analysis was absolutely not a lie, but instead a feature's name used by a conscientious and honest developer. bonus: unpacking jieli's firmware tools during our analysis of jieli's t…”
T1486 Data Encrypted for Impact
76%
“stream cipher algorithm similar to crc16-ccitt, initialized with a 16-bit key that is derived for each 32-byte memory block based on their block index. a 16-bit root key is used as well in this algorithm, and seems to be specific to each chip family and model. based on th…”

Summary

In a blog post published last December, we demonstrated how we managed to extract the firmware from a smartwatch by exploiting an out-of-bounds read vulnerability and spying on its screen interface. Follow us on our long and unexpected journey to figure out how this smartwatch can measure heart rate or blood pressure with no visible sensor, the problems we encountered while analyzing its firmware, and how we solved them to uncover The Truth about this device.